Full Disclosure mailing list archives
Re: Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
From: James Condron <james () zero-internet org uk>
Date: Mon, 5 Sep 2011 01:43:33 +0100
Paul,

I only run Windows on one machine, my workstation in the office, so my results aren't indicative of every system; indeed this may be a quirk of our AD, in which case I'll be talking to one of my colleagues with my friend Mr. Crowbar, but both extensions you list were executable. Admittedly I haven't checked all of the others yet; mileage may vary.

Either way there is no accounting for taste; some cases will make this less an attack in and of itself and more will show this as a further social engineering payload, albeit one which requires tricking someone to download several layers of code and still executing it.

On 4 Sep 2011, at 23:54, paul.szabo () sydney edu au wrote:
Application: wscript.exe
Extensions: js, jse, vbe, vbs, wsf, wsh
Library: wshesn.dll

Many people commented that the above extensions are "executable" already, so are (should be) treated with caution, or that they can be trojaned directly without any DLL load shenanigans. However... looking at

http://technet.microsoft.com/en-us/library/cc288335%28office.12%29.aspx
http://office.microsoft.com/en-us/windows-sharepoint-services-help/types-of-files-that-cannot-be-added-to-a-list-or-library-HA010100147.aspx

I do not see JS listed as executable, though JSE is listed. Looking at

http://msdn.microsoft.com/en-us/library/ms722429.aspx

I see JS (but not JSE) listed. Checking secpol.msc on my Windows XP machine, none of the above extensions are "designated".

Maybe DLL hijacking is useful for some of these file types, after all?

Cheers, Paul

Paul Szabo psz () maths usyd edu au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics, University of Sydney, Australia
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
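The two checks the quoted message describes (which of the WSH extensions Software Restriction Policies actually treats as designated, and whether a DLL planted next to a script would be the copy wscript.exe reaches under the default search order), as an added PowerShell example that is not part of this thread or of the Cybsec advisory. It assumes a Windows host with PowerShell 2.0 or later; the extension list and the name wshesn.dll are taken from the quoted advisory text, the registry locations are the standard SRP (`Safer\CodeIdentifiers\ExecutableTypes`) and DLL search order (`Session Manager\SafeDllSearchMode`, `CWDIllegalInDllSearch`) values, and the function names are this example's own.

```powershell
# Added example, not from the thread. Extension list and DLL name come from the
# quoted advisory; registry paths are the standard SRP / DLL search order keys.

$WshExtensions = @('js', 'jse', 'vbe', 'vbs', 'wsf', 'wsh')

function Get-SrpDesignatedTypes {
    # SRP stores its "designated file types" as a REG_MULTI_SZ named
    # ExecutableTypes. If the key is absent no SRP policy has ever been written
    # and secpol.msc is showing the built-in defaults, so treat it as empty.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $key)) { return @() }
    $value = Get-ItemProperty -Path $key -Name ExecutableTypes -ErrorAction SilentlyContinue
    if ($null -eq $value) { return @() }
    return @($value.ExecutableTypes | ForEach-Object { $_.ToUpper() })
}

function Get-WshExtensionStatus {
    $designated = Get-SrpDesignatedTypes
    foreach ($ext in $WshExtensions) {
        # assoc/ftype resolve the handler the shell launches for the file;
        # for these types the command line should end up at wscript.exe.
        $assocLine = cmd /c "assoc .$ext" 2>$null
        $progId    = if ($assocLine) { ($assocLine -split '=', 2)[1] } else { $null }
        $ftypeLine = if ($progId) { cmd /c "ftype $progId" 2>$null } else { $null }
        [pscustomobject]@{
            Extension  = ".$ext"
            Designated = ($designated -contains $ext.ToUpper())
            ProgId     = $progId
            Handler    = if ($ftypeLine) { ($ftypeLine -split '=', 2)[1] } else { '(none)' }
        }
    }
}

function Test-DllHijackCandidate {
    param([string]$DllName = 'wshesn.dll')
    # With SafeDllSearchMode enabled (the default) the order is: application
    # directory, System32, System, Windows, then the current directory. For
    # wscript.exe the application directory is System32, so a copy planted in
    # the script's directory is only reached if none of the system locations
    # already has the DLL.
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $safeMode = (Get-ItemProperty -Path $sm -Name SafeDllSearchMode -ErrorAction SilentlyContinue).SafeDllSearchMode
    $cwdBlock = (Get-ItemProperty -Path $sm -Name CWDIllegalInDllSearch -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
    $systemDirs = @(
        (Join-Path $env:SystemRoot 'System32'),
        (Join-Path $env:SystemRoot 'System'),
        $env:SystemRoot
    )
    $foundIn = @($systemDirs | Where-Object { Test-Path (Join-Path $_ $DllName) })
    [pscustomobject]@{
        Dll                   = $DllName
        SafeDllSearchMode     = if ($null -eq $safeMode) { 1 } else { $safeMode }  # absent value means the default, enabled
        CWDIllegalInDllSearch = $cwdBlock   # set by KB2264107; $null means not configured
        PresentInSystemDirs   = $foundIn
        SearchReachesCwd      = ($foundIn.Count -eq 0)
    }
}

Get-WshExtensionStatus | Format-Table -AutoSize
Test-DllHijackCandidate | Format-List
```

The first table answers Paul's secpol.msc question on the machine it runs on; a `Designated = False` row for a type whose handler is wscript.exe is the case he is pointing at. The second object only tells you whether a planted copy would be the one found; it does not show that wscript.exe ever asks for that DLL when opening a given file type, which still needs a Process Monitor trace of the load attempt.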
Current thread:
- Re: Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking paul . szabo (Sep 05)
- Re: Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking James Condron (Sep 05)
- Re: Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking Mario Vilas (Sep 05)
- Re: Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking Thor (Hammer of God) (Sep 05)
- Re: Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking Georgi Guninski (Sep 06)
- Re: Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking root (Sep 05)
- Re: Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking Mario Vilas (Sep 05)
- Re: Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking Thor (Hammer of God) (Sep 05)
- <Possible follow-ups>
- Re: Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking Valdis . Kletnieks (Sep 05)